On Tue, Feb 22, 2022 at 2:15 AM Demi Marie Obenour <demioben...@gmail.com> wrote:
> On 2/21/22 14:16, Vitaly Zaitsev via devel wrote:
> > On 21/02/2022 19:25, Demi Marie Obenour wrote:
> >> FIDO keys are significantly more secure than OTPs, and FAS should get
> >> support for them. OTPs are still phishable, whereas FIDO2 generally
> >> isn't.
> >
> > OTP is absolutely free. FIDO2 requires the purchase of a special
> > hardware token.
>
> One must remember that anyone in the packagers group can (with a
> modicum of effort) get code execution on a huge number of machines,
> and is thus an incredibly attractive target for phishing attacks.
> Developing a roadmap to encourage, and eventually require, the use of
> hardware authenticators to submit packages is a reasonable precaution
> in this threat environment. A hardware authenticator could be a FIDO2
> token, smart card, etc.

While it may make sense from the security standpoint, we also need to factor in the community/economic factor for Fedora contributors. Requiring the use of a hardware key then means that contributors have to spend their money to buy such a key, adding an additional hurdle for them to go through. Having to get the hardware key may also be prohibitive for contributors coming from developing countries, or who are low-income/unemployed, where they may already have a computer to use, but the added cost of a new hardware key could be a large burden.

The only viable option I see for requiring the use of hardware keys would be if Red Hat (or another sponsor) provided them to packagers when needed. This is probably prohibitive to do for the entire packager group, so instead it would make more sense to focus on the group that would expose the largest amount of the distribution - the proven packager group. This set of packagers is a smaller group, and they would have shown a dedication to the community/Fedora in the past to be approved by FESCo.

It would probably be easier to convince Red Hat/the Fedora Council to sponsor hardware keys for that core group than the community at large should the decision to require them be made.

-Ian

> --
> Sincerely,
> Demi Marie Obenour
> (she/her/hers)
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure